Welcome to the new EDPS blog. We will be writing here from time to time about the big issues in the world of data protection and privacy. We hope it will be of interest to you, and please don’t hesitate to give us your feedback.

Data Protection and the EU institutions

15 March 2017, By Giovanni Buttarelli

A new generation of data protection standards is being promulgated by the European Union. Almost one year ago, the adoption of the General Data Protection Regulation (GDPR) and the Directive for the police and justice sectors represented the most ambitious endeavour of the EU legislator so far to secure the fundamental rights of the individual in the digital era. 

Now is the time for EU institutions themselves to lead by example in the rules that they apply to themselves as  controllers and processors. Over the past 18 months the EDPS has initiated dialogue with EU institutions at the highest level to prepare them for the new challenges on data protection compliance, emphasising the new principle of accountability for how data is processed. 

Read more

Priorities for providing advice in 2017: acting as an adviser to the EU legislator

15 February 2017, by Giovanni Buttarelli

Today we publish the priorities for our policy and consultation role in 2017.

The highlight of last year was the adoption of the new European data protection framework: the GDPR and the directive on data protection in law enforcement and criminal justice. Our work, however, does not end here. It is now time to make sure that the same robust rules apply to EU institutions and bodies, so they can lead by example in compliance and accountability. We will also continue to work closely with the European Commission, the Council and the European Parliament in order to ensure that future-proof data protection rules protect the confidentiality of next generation electronic communications tools.

Read More

An ethical approach to fundamental rights

1 December 2016, by Giovanni Buttarelli

If you believe the words sometimes attributed to Gandhi, law is codified ethics. But effective laws and standards of ethics are guidelines accepted by members of a society, and these require a social consensus. I believe that technology is changing or at the very least influencing our ethics and it’s a phenomenon we need to urgently address.

On 31 May this year, I wrote about the first EDPS-Ethics Advisory Group (EAG) workshop that was taking place that day as part of a broader discussion we were launching, both in the EU and globally, on the digital environment and its ethical implications.

I am delighted at the workshop’s success and the feedback we received on it. I know that the work of the Group will yield tangible results in due course.

Read More

Breaking the rules: conducting administrative inquiries in the EU institutions

18 November 2016, by Wojciech Wiewiórowski

All EU staff are obliged to abide by their Staff Regulations, which outline the rules, principles and working conditions expected from them. But what happens if an EU staff member breaks these rules?

A breach of the rules might be intentional or simply negligent. Examples include psychological or sexual harassment, a staff member carrying out external activities without permission during office hours, a conflict of interest, or suspicion that a staff member is recording more hours on his timesheet than he is actually working. However, though the Staff Regulations help us to identify when someone has broken the rules, they remain silent on how the EU institutions should deal with these cases.

Read more

An ancient city looking to the future: The 38th International Privacy Conference in Marrakech

15 November 2016, by Giovanni Buttarelli

The ancient city of Marrakech was founded by the Almoravid dynasty at the beginning of the 11th century, as a centre for trade and craftsmanship. One century later, another mythical city, Timbuktu, was founded for similar reasons, in what is now known as the sub-Saharan state of Mali. As the location of the 38th International Privacy Conference, Marrakech aimed to set a precedent once again, this time through opening up the doors to privacy beyond the western world. The Conference took place from 17-20 October this year and the EDPS once again played an active part.

Read more

A smart approach: counteract the bias in artificial intelligence

8 November 2016, By Giovanni Buttarelli

Despite its name, artificial intelligence (A.I.) is a reality and though much hyped, has woven its way into everyday life: navigation systems, spam filters, weather forecasts to name but a few. Such is the potential influence of A.I. that it can be found on the political agenda and both the White House  and the House of Commons  have published reports on the subject.

This amount of attention shows that it is not too early to talk about the impact of A.I. Its application is already quite widespread and its effects on data protection and privacy are evident. Investing now to consider the societal impact and related ethical issues will not slow down innovation but will provide a sound foundation for further development.

Read more

Data protection for digital communication

7 November 2016, By Wojciech Wiewiórowski

In October, the European Court of Justice ruled that, in many cases, the data collected by web servers, such as the IP addresses of users, is personal data. The decision underlined the need to put in place adequate safeguards to protect personal data when operating websites and other online services.

The EU institutions, and many other organisations, rely increasingly on online tools to communicate and interact with citizens. At the same time, the online transactions involved are becoming more complex. The implementation of effective data protection policies for the processing of all personal data used by web-based services is essential if we are to protect the rights of users. In particular, we need to address the use of cookies, online tracking, security and personal data transfers.

Read more

Assessing the impact of data protection: DPO-EDPS meeting in Alicante

28 October 2016, by Wojciech Wiewiórowski

Yesterday, the 40th meeting between the EDPS and the DPOs from the EU institutions and bodies took place at the European Union Intellectual Property Office (EUIPO) in Alicante. I congratulate EUIPO for hosting a very successful meeting, I truly valued the opportunity to interact with our data protection partners and reinforce our collaboration. 

Among the items on the agenda for discussion were Data Protection Impact Assessments (DPIAs), workshops on individuals’ right of access and restrictions to that right, as well as on two newly adopted EDPS guidelines on mobile devices and web services. There are a number of newly appointed DPOs so we also ran a much-appreciated workshop for them on the practical application of the principles of the current Data Protection Regulation that applies to the EU institutions and bodies.

Read more

Big data rights: Let’s get together

6 October 2016, by Giovanni Buttarelli

Last week, in partnership with our co-hosts, the European Consumer Organisation, BEUC, we brought together high-level experts from across a spectrum of policy areas to talk about the future of our freedom and privacy online. It was a full house of regulators, legal counsel, technologists and non-government organisations, and a full day of intense debate ranging between subjects as diverse as merger control, indigestible privacy policies and encryption.   We also had over 500 people following the discussions via live webstream, with the recording available shortly.

It was an honour to include among our group of excellent speakers EU Competition Commissioner Margrethe Vestager and US Federal Trade Commission Terrell McSweeny. Each of these leading competition enforcers emphasised the potential for growth and competitiveness of data driven technologies and ground breaking business models. But they also recognised the growing importance in competition enforcement of data, the centrality of privacy protection to trust in web-based services, and the duty of regulators to work together to make sure that the online world develops in the interests of the individual and society.

Read more

Accountability needs technology!

8 September 2016, by Wojciech Wiewiórowski

From the very beginning, data protection has been about the processing of personal data by means of technology. When the first data protection laws were adopted in the 1970s, computers were just starting to become standard tools in business and public administration. The Internet had just been invented and was only accessible to a few researchers and computer specialists. But still, the founders of data protection saw the big possibilities and the dangers of uncontrolled collection, analysis and evaluation of personal data with the help of the still emerging technologies and they managed to convince legislators to enact a set of controls and safeguards to protect fundamental rights.

Over the last 40 years, the technological tools for data processing have grown in capabilities and availability, the amounts of data processed have increased by astronomical orders of magnitude. Data protection authorities have long realized that technology can not only be the tool for processing but that it must also contribute to implementing the safeguards and the principles of data protection. The EDPS strategy 2015-2019 demands that “Data protection goes digital”.  

Read more

Re-focusing on the human dimension of data protection

21 June 2016, by Wojciech Wiewiórowski

Let's imagine a six-year old child that has crossed the Mediterranean Sea in an inflatable boat, fleeing the horrors of war, and safely arriving on the coasts of the EU. It's hard to tell what will await her here. We don't know whether she will be allowed to stay, and if she stays where she will go or whether she will escape xenophobia. But one thing is certain. Irrespective of whether she will be allowed to stay or not, it seems that the child will have to give her fingerprints to be registered as an asylum seeker as soon as she arrives.

A six year old child, fleeing from war, surviving the sea, will be fingerprinted and entered into a database to which all EU Member States have access - if the current plans to reform Eurodac press ahead. Collecting and storing a person’s biometric data is a matter of fundamental rights – to which persons seeking asylum in the EU are entitled as much as any EU citizen.

Read more

Data Protection in Practice

16 June 2016, By Giovanni Buttarelli

The new EU General Data Protection Regulation that was adopted earlier this year is a landmark in human rights law. Designed to grapple with the realities of global, ubiquitous data in the internet era, it should provide increased legal certainty for both individuals and organisations processing data and greater protection for the individual in general.

Like our sister Data Protection Authorities throughout the EU, the EDPS has been bombarded with requests from industry groups, NGOs and think tanks for insights into what will happen next. How will the regulatory reforms be implemented in practice? Will we all be able to provide timely and relevant guidance?

Read more

The Accountability Initiative

7 June 2016, By Giovanni Buttarelli

Privacy and data protection matter more than ever to people. For this reason, the General Data Protection Regulation (GDPR) is one of the EU's greatest achievements in recent years since it seeks to ensure effective data protection in the digital age.

The GDPR brings with it a quantum shift in emphasis on who is responsible for ensuring that our right to data protection is fully respected. The GDPR includes an explicit reference to accountability as a principle and requires appropriate technical and organisational measures be put in place by organisations. In other words, organisations and not Data Protection Authorities or Data Protection Officers must demonstrate that they are compliant.

Read more

Big Brother, Big Data and Ethics

31 May 2016, By Giovanni Buttarelli

Privacy is dead they say.

But of course it isn’t. It is well and truly alive. Regardless of how much we share on social media, in reality we are still selective about what we do share. Even online, we find ways to secure, conceal or protect ourselves whether through ad blockers, security settings, the dark web or other ways. That is privacy.

While technology and the internet influences the way we behave, there is no evidence it has diminished our values as a society. So much so, that the EU continues to uphold our fundamental rights to privacy and data protection.

As technologies and personal data become ever more intertwined, the need for an ethical reflection on our fundamental rights, technology, markets and business models is long overdue.

Read more

Time for Europe's data protection authorities to raise their game

26 May 2016, By Giovanni Buttarelli

Today and tomorrow Wojciech and I are attending the Annual Conference of European Data Protection Authorities, what insiders call the ‘Spring Conference’, which this year is hosted in Budapest by the Hungarian National Authority for Data Protection and Freedom of Information. I was given the honour by the President of the authority, Attila Péterfalvi, of delivering the opening keynote speech this morning, in which I called on all independent European data protection authorities to rise to the challenge of the great reforms in the legal frameworks which are taking place this year.

Read more

GDPR requires DPOs: EU institutions leading by example

27 April 2016, By Wojciech Wiewiórowski

As you know, the General Data Protection Regulation was finally adopted two weeks ago after lengthy negotiations - a victory for the protection of fundamental rights in Europe. The Regulation requires public authorities - and, in some cases, private companies - to appoint a data protection officer, DPO. The DPO's job will be to watch over in an independent manner how data is stored, used and shared and to advise their organisation on data protection issues. According to an estimate by the International Association of Privacy Professionals, the GDPR will result in European governments and businesses requiring about 28 000 data protection officer posts. One can therefore reasonably expect that data protection professionals will be in high demand in the coming months as European authorities and companies respond to the requirements of the Regulation.

Read more

One giant leap for digital rights

15 April 2016, By Giovanni Buttarelli

So a bit of history was made yesterday. The adoption by the European Parliament of the General Data Protection Regulation, following the decision by the Council last week, is quite simply a landmark in human rights law. It is the biggest attempt so far by a legislator to grapple with the realities of global, ubiquitous data in the internet era.

'The processing of personal data,' according to Recital 4 of the Regulation, 'should be designed to serve mankind'.  The GDPR is very long and very detailed, but at its core is the individual - and the preservation of her dignity in the digital society.

Read more

The EU GDPR as a clarion call for a new global digital gold standard

1 April 2016, By Giovanni Buttarelli

Raising the bar for data protection

The General Data Protection Regulation (or GDPR) is going to raise the bar for data protection laws around the world. Like other data protection authorities, we were closely involved in the policy discussions, though not in the negotiations. (See our opinions in 2012 and then 2015 also in the form of a mobile app.) Political agreement was reached in December 2015, and the text is expected to become law before the summer.

We believe we have had some influence over the process, but we do not pretend that the final outcome is perfect, and in some ways it is quite far from the ideal.  Nevertheless we intend to be among the loudest champions of this reform, which is quite simply, and by a long way, the most ambitious endeavour so far to secure the rights of the individual in the digital realm for a generation.

Read more

  • 25 März 2017

    60th anniversary of the Rome Treaties. Giovanni Buttarelli to participate in the meeting of the 27 EU heads of state and heads of European Union institutions in Rome, Italy.

  • 15 März 2017

    Data Protection and the EU institutions. Read the latest blogpost by Giovanni Buttarelli and the EDPS Opinion.

  • 15 März 2017

    EDPS sees opportunity for stronger consumer and data protection. Read the EDPS Opinion and the press release.

  • 13 März 2017

    2018 International Conference of Data Protection and Privacy Commissioners to be hosted in Brussels. Read the press statement.

  • 07 März 2017

    EDPS calls for consistent improvements in the approach to EU border policy. Read the EDPS Opinion and the press release.

  • 28 März 2017

    Giovanni Buttarelli meeting with Greg Nojeim, Senior Counsel and Director, Freedom, Security and Technology Project, Center for Democracy & Technology (CDT), Brussels, Belgium

  • 28 März 2017

    Giovanni Buttarelli meeting with Cornelia Ernst, MEP, Brussels, Belgium

  • 27 März 2017

    Processing of personal data  by the Union institutions, bodies, offices and agencies, Study group meeting, EESC, Participation of Giovanni Buttarelli, Brussels Belgium

  • 25 März 2017

    60th anniversary of the Rome Treaties, Participation of Giovanni Buttarelli in the meeting of the 27 EU heads of state and heads of European Union institutions, Rome, Italy

  • 23 März 2017

    Forum on International Privacy Law, Participation of Wojciech Wiewiórowski, Königstein, Germany

  • 23 März 2017

    Participation of Giovanni Buttarelli in DAPIX, Brussels, Belgium

  • 23 März 2017

    Concurrences Review, Law & Economics Workshop: Big Data, Speech by Giovanni Buttarelli, Brussels, Belgium

  • 13 März 2017

    Regulating Privacy through Ethical Standards and Accountability Principles in the era of Big Data, Keynote speech of Wojciech Wiewiórowski: Towards a new digital ethics – data, dignity and technology: How to ensure accountability in personal data management?, Brussels, Belgium